emotet | 3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31

General

Target

3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe
Size

149KB
MD5

3cf01a251d7fc7c63e25ab4b9dda0a14
SHA1

856e45a3cd293aa1671434ce92b8c97e802d7983
SHA256

3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31
SHA512

f0c7954280fd12f53f3e28f593e392ad38a85b6f42be86d4062b89b9d7513ba005ff180c959cca7965e480a2280fc12d33909cb77b719ba7c9f270a72fdac310

Score

10^/10

emotet banker trojan

Malware Config

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Drops file in System32 directory 5 IoCs

Processes:

ipropmheg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ipropmheg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ipropmheg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ipropmheg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ipropmheg.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	ipropmheg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

ipropmheg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ipropmheg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ipropmheg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ipropmheg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

ipropmheg.exe

pid	process
1092	ipropmheg.exe
1092	ipropmheg.exe
1092	ipropmheg.exe
1092	ipropmheg.exe
1092	ipropmheg.exe
1092	ipropmheg.exe
1092	ipropmheg.exe
1092	ipropmheg.exe
1092	ipropmheg.exe
1092	ipropmheg.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe

pid process

2836 3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe

pid	process
2836	3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exeipropmheg.exe

description	pid	process	target process
PID 3904 wrote to memory of 2836	3904	3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe	3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe
PID 3904 wrote to memory of 2836	3904	3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe	3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe
PID 3904 wrote to memory of 2836	3904	3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe	3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe
PID 3292 wrote to memory of 1092	3292	ipropmheg.exe	ipropmheg.exe
PID 3292 wrote to memory of 1092	3292	ipropmheg.exe	ipropmheg.exe
PID 3292 wrote to memory of 1092	3292	ipropmheg.exe	ipropmheg.exe

C:\Users\Admin\AppData\Local\Temp\3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe
"C:\Users\Admin\AppData\Local\Temp\3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Users\Admin\AppData\Local\Temp\3e66c17ed85f736d462323f0042cf3faab1940d89f4d42c08f1b5fe1110f1e31.exe
  --cc92c71
  2⤵
  - Suspicious behavior: RenamesItself
  PID:2836

C:\Windows\SysWOW64\ipropmheg.exe
"C:\Windows\SysWOW64\ipropmheg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\SysWOW64\ipropmheg.exe
  --bf82c5df
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-120-0x0000000000000000-mapping.dmp

Download
memory/2836-115-0x0000000000000000-mapping.dmp

Download
memory/2836-117-0x0000000000480000-0x0000000000491000-memory.dmp

Filesize
68KB

Download
memory/2836-118-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3292-119-0x0000000000430000-0x000000000057A000-memory.dmp

Filesize
1.3MB

Download
memory/3292-121-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3904-114-0x0000000000430000-0x00000000004DE000-memory.dmp

Filesize
696KB

Download
memory/3904-116-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads